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[57] ABSTRACT 

A microcomputer which is operable in either an internal 
program mode, wherein the microcomputer functions 
in accordance with an internally stored program, or in 
an external program mode, wherein the microcomputer 
functions in accordance with a program stored in a 
memory external to the microcomputer, provides inter- 
nal RAM security during the external program mode. 
The microcomputer includes an internal program mem- 
ory for internally storing programs; a bus for connec- 
tion to an external memory for carrying programs from 
the external program memory; a nonsecure RAM for 
storing nonsecure data; a secure RAM for storing se- 
cure data; a central processing unit for processing the 
stored data and/or externally provided data either in 
accordance with the internally stored programs or in 
accordance with programs stored in the external mem- 
ory; and a controller for controlling interconnections 
between the internal program memory, the bus, the 
RAMs and the central processing unit in accordance 
with the mode of operation of the microcomputer; 
wherein during the external program mode, the control- 
ler inhibits access to the secure RAM. Code for access- 
ing the secure data stored in the secure RAM is con- 
tained in a program stored in the internal program mem- 
ory. The microcomputer is ideally suited for perform- 
ing cryptographic operations utilizing cryptographic 
keys stored in or derived from the secure memory. 

2 Claims, 1 Drawing Sheet 
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for controlling interconnections between the internal 
MICROCOMPUTER WITH INTERNAL RAM program memory, the bus, the RAMs and the central 

SECURITY DURING EXTERNAL PROGRAM processing unit in accordance with the mode of opera- 
MODE tion of the microcomputer; wherein during the external 

5 program mode, the controller inhibits access to the 
BACKGROUND OF THE INVENTION secure RAM, wherein during said .internal program 

The present invention generally pertains to mi- mode » controlling means inhibits the central pro- 
crocomputers and is particularly directed to providing cessing unit from responding to instructions from the 
security for data stored in the microcomputer when the external program memory; and wherein the controlling 
microcomputer is operated in an external program 10 means may be placed in the external program mode in 
mode. direct response to only instructions from the internal 

A microcomputer essentially includes an internal program memory. Code for accessing the secure data 
program memory for internally storing programs; a bus stored in the secure RAM is contained in a program 
for carrying data to and from the microcomputer; a stored in the internal program memory, 
random access memory (RAM) for storing data; a cen- 15 The microcomputer of the present invention is ide- 
tral processing unit for processing said stored data and- ally suited for performing cryptographic operations, 
/or data received over the bus in accordance with the For cryptographic operations, the internal program 
internally stored programs; and a controller for control- memory stores a program for performing cryptographic 
ling interconnections between the internal program operations upon data; and the secure RAM stores cryp- 
memory, the bus, the RAM and the central processing 20 tographic key data required for performing the crypto- 
unit in accordance with the mode of operation of the graphic operations. 

microcomputer. Additional features of the present invention are de- 

For microcomputers that do not have an external scribed in relation to the description of the preferred 
program mode, wherein the operation of the microcom- embodiment, 
puter is in accordance with a program stored in an 25 

internal memory, the security of the data stored in the BRIEF DESCRIPTION OF THE DRAWING 
internal RAM is under the control of the program The FIG. 1 of the drawing is a diagram of a preferred 
stored in the internal memory, and thereby security of embodiment of ^ microcomputer of the present inven- 
such data may be assured. However, internal memory ^ ^ to ^ extemal ^ me 
sue is limited and may be enlarged only up to a certain 30 

point at which further expansion is not economically DESCRIPTION OF THE PREFERRED 

feasible because of increased silicon area and cost. Thus, EMBODIMENT 
for many applications, a microcomputer having an ex- Referri t0 ^ o^g, the preferred embodiment 
ternal program mode of operat.on >s preferred for eco- microcomputer 10 of the present uivention in- 

nomic reasons. 35 ^ /Inmn • * i 

In a prior art microcomputer having an external pro- cludes a central Pressing unit (CPU) 12 an internal 
gram mode of operation, the bus is connected to exter- P ro 8^ ™ m °Z £ a ™*ecure *AM * secure 
nal memories for carrying programs from an external RAM * 8 , * uses and 24 respectively. connected to 
program memory and for carrying data to and from an ? orts A > B > C > «"» a controller. The controller 
external data memory; and the controller interconnects 40 ^eludes a memory-access-and-penpheral-control unit 
the bus to the internal RAM during the external pro- 26 > a **** control register 28, a port A data register 30, 
gram mode. Thus, operation of a prior art microcom- a port B data register 32, a port C data register 34, a first 
puter in the external program mode affords an intruder tri-state ^s driver 36 coupling the port A data register 
access to the entire internal RAM, whereby sensitive 30 to the port A data bus 20, a second tn-state bus driver 
data (such as access codes, authenticators, or secure 45 38 coupling the memory-access-and-penpheral-control 
variables) stored in the internal RAM may be accessed ™* 26 to the port A data bus 20, a third tri-state bus 
from outside the microcomputer and thereby compro- <* nv er 40 coupling the port B data register 32 to the port 
mised. B data bus 22, a fourth tri-state bus driver 42 coupling 

the memory-access-and-peripheral-control unit 26 to 
SUMMARY OF THE INVENTION 5Q the port B data bus 22, a fifth tri-state bus driver 44 

The present invention provides a microcomputer coupling the port C data register 34 to the port C data 
which is operable in either an internal program mode, bus 24, and a sixth tri-state bus driver 46 coupling the 
wherein the microcomputer functions in accordance memory-access-and-peripheral -control unit 26 to the 
with an internally stored program, or in an external port C data bus 24. The fourth tri-state bus driver 42 is 
program mode, wherein the microcomputer functions 55 bidirectional. All of the other bus drivers are unidirec- 
in accordance with a program stored in a memory ex- tional and transfer data onto the respective port A, B 
ternal to the microcomputer, without compromising the and C buses 20, 22, 24 from the microcomputer 10. 
security of data stored in a designated internal RAM. The mode control register 28 provides a signal on line 
The microcomputer of the present invention includes 48 indicating whether the microcomputer is in an inter- 
an internal program memory, for internally storing pro- 60 nal program mode or an external program mode of 
grams; a bus for connection to an external program operation. The mode indication signal on line 48 enables 
memory for carrying programs from the external pro- access to the secure RAM 18 during the internal pro- 
gram memory; a nonsecure RAM for storing nonsecure gram mode of operation and inhibits access to the se- 
data; a secure RAM for storing secure data; a central cure RAM 18 during the external program mode of 
processing unit for processing the stored data and/or 65 operation. 

externally provided data either in accordance with the The port A bus 20 is a 2-bit control bus, which pro- 
internally stored programs or in accordance with pro- vides memory timing controls. The port B bus 22 is a 
grams stored in the external memory; and a controller multiplexed address/data bus, providing eight address 
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bits and eight-bits of data for bidirectional transfer. The may be performed. Internal secure routines are exe- 

port C bus 24 provides eight additional address bits. cuted, with the results, if any, being written into the 

An external program memory 50 is coupled to the nonsecure RAM 16. Finally, the mode control register 

port A, B, and C buses 20, 22, and 24 of the microcom- 28 is accessed to select the external program mode, and 

puter 10 by a 16-bit address bus 52, an address latch 54, 5 a return is made to the calling routine in the external 

an 8-bit data bus 56, an address latch enable line 58 and program memory 50. 

a memory enable line 60. Whenever the program code provided from the ex- 
Additional input/output memory, or other peripheral ternal program memory 50 causes a switch to the inter- 
devices may share the buses 20, 22, 24 along with the naJ program mode, any following instructions from the 
external program memory 50, given appropriate ad- 10 externa ] pr0 gram memory 50 are ignored, since the 
dress decoding and interface circuitry. In the external switch t0 ^ internal program mode results in the mode 
program mode, the microcomputer 10 is, in effect, a contTO \ register 28 providing a mode indication signal 
general p impose microprocessor on foe 48 that inhibits the bus drivers 38, 42 and 46 from 
«P*a £ "^T* ^ Mgna ^ S ° ,< providing further access to the microcomputer by the 
62 and 64 respectively. 15 cxternaI program mem ory 50. Since no device is avail. 

On reset, instructions are fetched from the utenri ^ place instruction data on the internal operating 
program memory 14; and die mode control renter 28 th/resulting value of zero is interpreted by the 
is set to indicate the internal program mode, and „ ' T «. , . „ . . _r J 
thereby provides a signal on line & Enables access CPU 12 as a "do nothing" instruction The nncrocom- 
to the secure RAM 18. Such an indication on line 48 20 PUter program counter then increments upwards until 
alsoenablesthebusdrivers36,40and44torespectively f 1 ** b * e of *«? denial program memory 14 is 
transfer the contents of the port A data register 30 onto ****** * us returmn * contro1 10 ^ wternal I* 0 *™" 
the port A bus 20, the contents of the port B data 32 memory 50. . J J , 
register onto the port B bus 22, and the contents of the when the microcomputer 10 is adapted for perform- 
port C data register 34 onto the port C bus 24. At the 25 m & cryptographic operations the programs stored m the 
same time the internal program mode indication on line internal program memory 14 contain cryptographic 
48 inhibits the bus drivers 38, 42 and 46 from transfer- routines; and cryptographic keys and/or data required 
ring data. When in the internal program mode, the CPU for deriving cryptographic keys are stored in the secure 
12 has access to both the secure RAM 18 and the nonse- RAM 18. A "master" program stored in the external 
cure RAM 16, as well as to all of the peripheral regis- 30 program memory 50 can utilize program subroutines 
ters, including port A data register 30, port B data regis- stored in the internal program memory 14 to provide a 
ter 32, port C data register 34 and, mode control register "slave" cryptographic processor. This master program 
28. may be made to cause such a cryptographic processor 
When operating in the internal program mode, all to encrypt and store data, authenticate a block of data, 
instructions are executed from the internal program 35 and/or derive a new key from a previously stored key. 
memory 14; and internal bus activity is not accessible at Initially, data to be operated on by the cryptographic 
the ports of the microcomputer, In the internal program processor is placed in the nonsecure RAM 16 by the 
mode, access to external program memory is not possi- master program; and then the program branches to the 
ble. internal program memory 14 for implementing the 
After power-up initialization is complete, program 40 cryptographic processor. Cryptographic routines first 
control may be passed to the external program memory enable the secure RAM 18; then access secure data, 
50 by first setting the mode control register 28 to pro- sucn ^ cryptographic keys, from the secure RAM 18; 
vide an external-program-mode indication signal on line next perform cryptographic operations on the data; and 
48 to inhibit access to the secure RAM 18, and then fmaUy store my results of such cryptographic process- 
branching externally via bus drivers 38, 42 and 46 The 45 m in ^ t nonsecure RAM 16. The microcomputer 10 is 
external-program-mode indication signal on line 48 also ^en switched back to the external program mode to 
inhibits the bus drivers 36, 4fl I and 44 from tra^femng allow the results tQ ^ accessed from the „ onsecure 
data from the port A, B, and C data registers 30, 32 and memory 16 md 

to allow further processing in the exter- 

34 onto the port A, B, and C buses 20, 22 and 24. Pro- naJ —Q—n moc j e 

gram control may be returned to the internal program 50 ^e internal program memory 14 is a read- 
memory 14 simply by branching to it. ^ * ^ > 

When in the external program mode, the microcom- * " * v ' . , f T * !r 
puter's internal address and data buses are intercom ut " * provided ^ nonvolaUlity 
nected by the bus drivers 38, 42 and 46 to the external ^MOS with battery backup or EEPROM, for exam- 
program memory 50, and control of the microcomputer 55 The ««« RAM 18 of the microcomputer may 
is transferred to the external program memory 50. In *~ * ***** ««» data at one physical location 
the external program mode, access to the nonsecure shipped to another location where all but 
RAM 16 is allowed, while access to the secure RAM 18 properly authorized transactions are prohibited, 
is inhibited. We claim: 

In a typical operating scenario, after system reset and 60 A microcomputer that is operable in either an inter- 
initialization, control is passed to the external program na ^ program mode, wherein the microcomputer func- 
memory 50. When data is available requiring authenti- . &ons in accordance with an internally stored program, 
cation or comparison with variables stored in secure or in an external program mode, wherein the mi- 
RAM 18, the data is written into the nonsecure RAM 16 crocomputer functions in accordance with a program 
and a branch is made to an entry point in the internal 65 stored in a memory external to the microcomputer, said 
program memory 14. The mode control register 28 is microcomputer comprising 

then accessed to select the internal program mode, so an internal program memory for internally storing 

that operations using secure data with nonsecure data programs; 
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a bus for connection to an external program memory 
for carrying programs from said external program 
memory; 

a nonsecure RAM for storing nonsecure data; 
a secure RAM for storing secure data; 
a central processing unit for processing data stored in 
said nonsecure RAM, data stored in said secure 
RAM and/or externally provided data either in 
accordance with said internally stored programs or 
in accordance with programs stored in said exter- 
nal program memory; and 
means coupled to the internal program memory, the 
bus, the RAMs and the central processing unit for 
controlling interconnections between the internal 
program memory, the bus, the RAMs and the cen- 
tral processing unit in accordance with the mode of 
operation of the microcomputer, 
wherein the controlling means includes 
means for inhibiting access to the secure RAM 

during said external program mode; 
means for inhibiting the central processing unit 
from responding to instructions within a pro- 
gram carried on the bus from the external pro- 
gram memory during said internal program 
mode; and 

means for branching the microcomputer to the 
external program mode in response to only in- 
structions in a program stored in the internal 
program memory; 
wherein the internal program memory stores a pro- 
gram for causing the central processing unit to 
perform cryptographic operations upon data; 
wherein the secure RAM stores secure cryptographic 
key data required for performing said crypto- 
graphic operations; and 
wherein the external program memory stores a pro- 
gram for causing the microcomputer to perform 
the following sequence of routines: 

(a) placing in the nonsecure RAM the data upon 
which the cryptographic operations are to be per- 
formed; 

(b) branching the microcomputer to the internal pro- 
gram mode; 

(c) performance by the central processing unit in 
accordance with said stored internal program of 
said cryptographic operations on the data placed in 
the nonsecure RAM during routine (a) with said 
secure cryptographic key data stored in the secure 
RAM; and 

wherein said program for performing cryptographic 
operations stored in the internal program memory 
is adapted for causing the microcomputer to per- 
form the following sequence of routines: 

(d) storing the results of said cryptographic operation 
in the nonsecure RAM; and 

(e) branching the microcomputer back to the external 
program mode to allow the results of said crypto- 



graphic operation to be accessed from the nonse- 
cure RAM. 

2. A microcomputer that is operable in either an inter- . 
nal program mode, wherein the microcomputer func- 
5 tions in accordance with an internally stored program, 
or in an external program mode, wherein the mi- 
crocomputer functions in accordance with a program 
stored in a memory external to the microcomputer, said 
microcomputer comprising 
10 an internal program memory internally storing a pro- 
gram for causing the central processing unit to 
perform cryptographic operations upon data; 
a bus for connection to an external program memory 
for carrying programs from said external program 
15 memory; 

a nonsecure RAM for storing nonsecure data; 
a secure RAM storing secure data, including secure 
cryptographic key data required for performing 
said cryptographic operations; 
20 a central processing unit for processing data stored in 
said nonsecure RAM, data stored in said secure 
RAM and/or externally provided data either in 
accordance with said internally stored programs or 
in accordance with programs stored in said exter- 
25 nal program memory; and 

means coupled to the internal program memory, the 
bus, the RAMs and the central processing unit for 
controlling interconnections between the internal 
program memory, the bus, the RAMs and the cen- 
30 tral processing unit in accordance with the mode of 
operation of the microcomputer, 
wherein the controlling means includes means for 
inhibiting access to the secure RAM during said 
external program mode; 
35 wherein the external program memory stores a pro- 
gram for causing the microcomputer to perform 
the following sequence of routines: 

(a) placing in the nonsecure RAM the data upon 
which the cryptographic operations are to be per- 

40 formed; 

(b) branching the microcomputer to the internal pro- 
gram mode; 

(c) performance by the central processing unit in 
accordance with said stored internal program of 

45 said cryptographic operations on the data placed in 
the nonsecure RAM during routine (a) with said 
secure cryptographic key data stored in the secure 
RAM; and 

wherein said program for performing cryptographic 
50 operations stored in the internal program memory 
is adapted for causing the microcomputer to per- 
form the following sequence of routines: 

(d) storing the results of said cryptographic operation 
in the nonsecure RAM; and 

55 (e) branching the microcomputer back to the external 
program mode to allow the results of said crypto- 
graphic operation to be accessed from the nonse- 
cure RAM. 

***** 
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